AAA Considerations for Mobile Network Access (TERENA)
Malaga, November 20th, 2003
Carsten Bormann <[email protected]>
Overview
- WLAN Network Access Control: Technologies
- Requirements for WLAN Roaming
- Solutions and their AAA implications
Section: WLAN Network Access Control: Technologies
WLAN Security: Requirements
- Confidentiality (Privacy):
  - Nobody can understand foreign traffic
  - Note: insider attacks are as likely as outsiders'
- Accountability:
  - We can find out who did something
  - Prerequisite: Authentication
WLAN Security: Approaches
- AP-based security: the AP is the network boundary
  - WEP (broken), WEP fixes, WPA, ...
  - 802.1X (EAP variants + RADIUS) + 802.11i
- Network-based security: deep security
  - VPNs are needed by mobile people anyway
  - SSH, PPTP, IPsec
  - Allows development of security standards
  - Some VPN technologies are IPv6 enabled
  - AP-based security not needed anymore!
AP-based security: 802.1X
Access point (or wired Ethernet switch) acts as the access control device.
[Diagram: a guest supplicant (piet@institution_a.nl) attaches to the authenticator (AP or switch), which queries Institution A's RADIUS server and UserDB over the Internet; the result places the user in StudentVLAN, GuestVLAN or EmployeeVLAN; data and signalling paths are shown separately]
Network-based Security
[Diagram: a docking network offering DHCP, DNS and free Web; separate VPN gateways lead from it into Intranet X, the campus network and the world]
Network-based: Docking Network + VPN
- All access points in one docking network
  - use a common SSID ("Uni-Bremen")
- Little infrastructure in the docking network
  - DHCP, DNS, "free services" (internal Web)
- One VPN gateway for each target network
  - Campus network, workgroups, possibly with firewalls; decentralize
  - SSH, PPTP, IPsec; clients for all platforms
  - Gateway: cheap hardware (PC with Linux)
- Used in many German and Swiss universities
Network-based: Hotspot-style
- Use a Web server in the docking network to authenticate
- Once authenticated, open a hole in the access control device
  - Limited to weak security, e.g. IP and MAC addresses
  - No encryption on the air
- Used in Finland
[Diagram: WWW browser in the docking network, access control device, AAA server, Internet; steps 1 to 5 of the Web login]
WLAN Access Control: Why VPN based?
- Historically, more reason to trust L3 security than L2
  - IPsec has lots of security analysis behind it
- Available for just about everything (Windows 98, PDA etc.)
- Easy to accommodate multiple security contexts
  - Even with pre-2003 infrastructure
- Data is secure in the air and up to the VPN gateway
- Security decisions and enforcement in one place: at the target
- Most of all: It just works™
WLAN Access Control: Why 802.1X is better
- 802.1X is taking over the world anyway
- The EAP/XYZ people are finally getting it right
  - Only 5 more revisions before XYZ wins wide vendor support
- Available for more and more systems (Windows 2000 up)
- Distribute the hard crypto work to zillions of access points
  - Block them as early as possible
  - More control to the visited site admin, too!
- Easy to accommodate multiple security contexts
  - with Cisco 1200 and other products (to be shipped)
- Most of all: It just works™
WLAN Access Control: Why Web-based filtering is better
- No special client software (everybody has a browser)
- Ties right into existing user/password schemes
- Can be made to work easily for guest users
  - It's what the hotspots use, so guest users will know it already
  - May be able to tie in with Greenspot etc.
- Privacy isn't that important anyway (use TLS and SSH)
- Accountability isn't that important anyway
- Most of all: It just works™
Section: Requirements for WLAN Roaming
Users want to roam between institutions
- TERENA TF Mobility: roam within Europe's NRENs*)
  - 802.1X with RADIUS (AP-based)
  - Access to VPN gateways (network-based)
  - Web-based authentication (network-based)
  - http://www.terena.nl/mobility
*) National Research and Education Networks
Inter-NREN WLAN Roaming
Big assumptions:
- Every NREN user is equal when it comes to roaming network access (no user profiles for guests)
- AUPs are "close enough"
- Authentication, not authorization, is the problem
Roaming: High-level requirements
Objective: Enable NREN users to use the Internet (WLAN and wired) everywhere*) in Europe
- with minimal administrative overhead (per roaming)
- with good usability
- maintaining the required security for all partners
*) at participating NREN members
Minimize admin overhead
- Very little admin work to enable roaming per user
  - (preferably none)
  - both for the home network and even more so for the visited network
- No admin work required per roaming occurrence
- Minimize the complexity of additional systems required
  - (consider the architecture at the involved institutions)
  - must integrate with existing AAA systems, e.g., RADIUS
  - no n² work required when scaling the system
- No regulatory entanglement
Good usability
- Available to most current WLAN (and wired) users
  - standards-based; low-cost
- No additional software required to enable roaming
  - (software may be required for local use beforehand)
  - consider both laptop and PDA usage
- Enable all work
  - IPv4 and IPv6
  - Access to home institution networks
  - Enable use of home addresses while roaming
- Enable local work in the visited network
  - SLP, authorization issues/user classes?
Security requirements
- Allow use only for approved [by whom?] NREN users
  - Legal binding to some common terms of use
- Provide accountability
- Nice to have: provide reasonable basic ("like in wired access") security for the individual user [cannot be fulfilled in all environments]
  - Confidentiality of traffic
    - (not necessarily with respect to current position!)
  - Integrity/guard against data manipulation and session hijacking
- Allow real security (e2e) on top (e.g., highlight the limitations of NATs)
- Don't aggravate the security issues of visited networks
Security non-requirements
- No need to "protect" WLAN
  - ISM spectrum can't be protected anyway
- Hard to reliably conceal positioning information
Section: Solutions and their AAA implications
WLAN Roaming: VPN-based solution(s)
- Just interconnect the docking networks
  - users can connect to their home gateway from any site
  -> Extended Docking Network
- AAA decision and the resulting access remain at home
VPN roaming: Extended Docking Network
[Diagram: two sites, each with Intranet X, docking network, campus network, VPN gateways and DHCP/DNS/free Web, with their docking networks joined over G-WiN]
Interconnect docking networks. Clients leave through their home network/gateway.
Wbone: interconnecting docking networks
[Diagram: Bremen docking networks linked over the Briteline/Wbone: Uni Bremen 172.21/16, HS Bremen 172.25/16, HfK, HS Brhv. 10.28.64/18 and AWI; the VPN gateways are IPsec on Cisco, PPTP on Linux and IPsec/PPTP/SSH on Linux; "extend to other sites ..."]
AAA Implications of the Extended Docking Network
- All AAA issues stay local
  - VPN gateways decide locally whom they admit
- Guest user uses the home IP address
  - Home is the contact point for any incident enquiries
  - Can use the IP address for (weak) authentication
- Remaining problem: building the Extended Docking Network
  - People problem: Network Management != WLAN staff...
Extended Docking Network: Moving to Europe
- Scale the private address architecture to European level?
  - Do all this in public, routable address space instead!
- Separate docking networks from a controlled address space for gateways (CASG*)
  - Docking networks allow packets out to and in from the CASG
  - Need to add an access control device (such as a router with ACL)
  - Nicely solves the transit problem in the process
*) née "relay network" (Ueli Kienholz)
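As an added illustration (not from the slides), here is a constructed model of the docking-network border filter just described: it renders the policy "docking network talks only to the CASG, no transit elsewhere" as Cisco IOS style extended ACL lines (an assumed format; the deck only says "router with ACL") and simulates the same policy so it can be checked against concrete packets. The docking and CASG prefixes are constructed stand-ins.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed prefixes. The deck only says docking networks use private space
# (e.g. 172.21/16 at Uni Bremen) and that the CASG is public, routable space;
# the documentation ranges below stand in for the CASG.
DOCKING = IPv4Network("172.21.0.0/16")
CASG = [IPv4Network("198.51.100.0/24"), IPv4Network("203.0.113.0/24")]


def build_acl(docking: IPv4Network, casg: list[IPv4Network], acl_id: int = 101) -> list[str]:
    """Render the border filter as Cisco IOS style extended ACL lines
    (assumed format). Intent: docking <-> CASG only; the implicit/explicit
    'deny any any' is what removes the visited site as an open transit."""
    lines = []
    for net in casg:
        # outbound: docking clients reaching VPN gateways inside the CASG
        lines.append(f"access-list {acl_id} permit ip {docking.network_address} "
                     f"{docking.hostmask} {net.network_address} {net.hostmask}")
        # inbound: replies from the VPN gateways back to docking clients
        lines.append(f"access-list {acl_id} permit ip {net.network_address} "
                     f"{net.hostmask} {docking.network_address} {docking.hostmask}")
    lines.append(f"access-list {acl_id} deny ip any any")
    return lines


def permitted(src: str, dst: str) -> bool:
    """Simulate the same policy for one packet, so the rendered ACL can be
    cross-checked: permit docking->CASG and CASG->docking, deny the rest
    (including docking->arbitrary Internet, i.e. the transit case)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    to_casg = s in DOCKING and any(d in n for n in CASG)
    from_casg = d in DOCKING and any(s in n for n in CASG)
    return to_casg or from_casg


if __name__ == "__main__":
    print("\n".join(build_acl(DOCKING, CASG)))
    print(permitted("172.21.5.7", "198.51.100.10"), permitted("172.21.5.7", "93.184.216.34"))
```

Note that the filter is address-based only: it bounds where docking-network clients can send packets, while the actual admission decision still happens at the home VPN gateway, as the previous slide states.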
[Diagram: three sites, each with Intranet X, docking network, campus network/G-WiN, VPN gateways, DHCP/DNS/free Web and an access controller; the docking networks reach the VPN gateways through the CASG, which sits between them and "the big bad Internet"]
Originators of national roaming solutions across Europe
- 802.1X @ SURFnet
- VPN + certificates @ FCCN
- VPN @ University of Bremen & SWITCH
- PPPoE/Linux @ University of Bristol & the University of Swansea
- Web-based redirection @ FUNET
(With apologies for the map)
Cross-domain 802.1X with VLAN assignment
Authentication at the home institution: 802.1X, TTLS (SecureW2), (proxy) RADIUS. One-time passwords are also transmitted via SMS to guest users.
A RADIUS hierarchy is under construction to scale this to a Europe-wide solution.
[Diagram: a guest supplicant (piet@institution_b.nl) at Institution A attaches to the authenticator (AP or switch); Institution A's RADIUS server proxies the request over the Internet via a central RADIUS proxy server to Institution B's RADIUS server and UserDB; the result places the user in StudentVLAN, GuestVLAN or EmployeeVLAN; data and signalling paths are shown separately]
RADIUS based Web authentication solution
[Diagram: WWW browser in the docking network, access control device, AAA server, Internet; steps 1 to 5 of the Web login]
RADIUS based Web interface authentication at the University of Tampere.
The Finnish are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure.
TF-Mobility Recommendations
- Define interoperability scenarios for each national solution and identify the work needed to integrate these solutions and the three development streams together.
- A phased development / testing approach:
  - Resolve scaling and interoperability issues for 802.1X, VPN and web-based redirect
  - Consolidate findings into a trial report
  - Build and scale a RADIUS proxy hierarchy for non-VPN AAA
  - Conduct feasibility tests on creating a scalable VPN solution
  - Subject to feasibility, build the proposed CASG solution
  - Extend to VPN in parallel
  - Work on software changes to Roamnode (PPPoE/Linux) to facilitate roaming
The testing of inter-NREN roaming solutions has already started!
RADIUS proxy hierarchy established (geographic view)
[Map: RADIUS proxy servers at SURFnet, FCCN, FUNET, the University of Southampton, (DFN) and CARnet connecting to a European-level RADIUS proxy server]
- Participation guidelines are being drafted
- Aim is to increase membership. Norway, Slovenia, the Czech Republic & Greece have indicated their willingness to join.
(With apologies for the map, again)
RADIUS proxy hierarchy established (network topology view)
[Diagram: organizational RADIUS servers forward to national RADIUS proxy servers, which forward to the top-level RADIUS proxy server etlr1.radius.terena.nl (192.87.36.6), currently hosted at SURFnet, with a backup top-level proxy etlr2.radius.terena.nl (195.169.131.2); national proxies currently linked to SURFnet (Netherlands), FCCN (Portugal), CARNET (Croatia) and FUNET (Finland), plus the University of Southampton and FOKUS (Berlin)]
AAA Implications of the RADIUS Hierarchy
- Need a standard form of NAI (Network Access Identifier)
  - [email protected] (RFC 2486 style, i.e. user@realm)
Where username/password is used:
- Inter-RADIUS server security issue
  - Solvable by IPsec
- Inter-RADIUS server/Web server trust issue
  - Do I trust the Web authentication service of a random hotspot?
  - What kind of TLS certificate do these use?
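As an added example (not from the slides), here is a constructed model of realm-based routing in the proxy hierarchy from the topology slide and of the "inter-RADIUS server security issue" just listed: an Access-Request is forwarded purely on the realm part of the NAI, from the visited institution's server via national proxies and the top-level proxy to the home server, and every hop on that path can read a plain User-Password, whereas with EAP-TTLS only the home server sees the inner credentials. Server names and the realm-to-country mapping are assumptions.

```python
import re

# Constructed model of the deck's hierarchy (organizational RADIUS server ->
# national RADIUS proxy -> top-level proxy). Names and the country mapping
# are assumptions, not the real 2003 configuration.
NATIONAL_PROXY = {"nl": "nl-proxy.example", "fi": "fi-proxy.example",
                  "pt": "pt-proxy.example", "hr": "hr-proxy.example"}
TOP_LEVEL_PROXY = "top-level-proxy.example"

# RFC 2486 style NAI: user@realm, the realm being a dotted DNS-like name.
NAI_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9_.-]+\.[A-Za-z]{2,})$")


def parse_nai(nai: str) -> tuple[str, str]:
    """Split an NAI into (user, realm); the realm is treated case-insensitively."""
    m = NAI_RE.match(nai)
    if not m:
        raise ValueError(f"not an RFC 2486 style NAI: {nai!r}")
    return m.group("user"), m.group("realm").lower()


def route(nai: str, visited_realm: str) -> list[str]:
    """Servers an Access-Request traverses, starting at the visited institution.
    Routing looks at the realm only; proxies never inspect the user part."""
    _, realm = parse_nai(nai)
    visited_realm = visited_realm.lower()
    path = [f"radius.{visited_realm}"]
    if realm == visited_realm:          # home user: answered locally
        return path
    visited_cc = visited_realm.rsplit(".", 1)[-1]
    home_cc = realm.rsplit(".", 1)[-1]
    path.append(NATIONAL_PROXY[visited_cc])
    if home_cc != visited_cc:           # cross-border: via the top-level proxy
        path.append(TOP_LEVEL_PROXY)
        if home_cc not in NATIONAL_PROXY:
            raise LookupError(f"top-level proxy has no route for realm {realm!r}")
        path.append(NATIONAL_PROXY[home_cc])
    path.append(f"radius.{realm}")
    return path


def sees_password(path: list[str], tunnelled: bool) -> list[str]:
    """Servers that can read the user's password. With a plain User-Password
    attribute (Web login) each hop decrypts it with its shared secret and
    re-encrypts it for the next hop; with EAP-TTLS the inner credentials sit
    in a TLS tunnel that ends at the home server, so only it sees them."""
    return [path[-1]] if tunnelled else list(path)
```

The LookupError case is the practical reason the slide asks for a standard NAI form: a realm the top-level proxy cannot map is simply undeliverable.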
Interoperability?
- Both Web and .1X can use the RADIUS hierarchy
  - VPN gateways can actually use it, too
- VPN sites probably want to add Web-based filtering
  - Helps Web and .1X users, if connected to the RADIUS hierarchy
- Web-based sites can easily add CASG access
  - By using the RADIUS hierarchy, .1X users are fine
- .1X sites with Cisco 1200 can add a "docking VLAN"
  - CASG access and Web-based filtering to accommodate visitors
YES, but lots of political problems
Q & A
http://www.terena.nl/mobility/